Should you or should you not hire an internal CISO?
That is the question

Judy HomerPresident, JB Homer Associates

Based on our experience in recruiting Chief Information Security Officers and from recent conversations with CEOs, COOs, and CIOs, we have discovered why some companies may, or may not, need a dedicated Chief Information Security Officer (CISO) for their organization.

As all companies are more vulnerable today, the information security risk profile becomes an essential component of the company's overall business model and risk profile, which dictates whether or not to employ a separate CISO. CISO's are offered more enticing challenges and can add greater everyday value in industries such as Education, Healthcare, Financial Services, and Retail which have extensive databases chock full of sensitive financial and private personal information subject to breaches. In the case of Education, universities tend to be underfunded in IT Security, a fact that is well-known to hackers.

Information Security has become more of a Board mandate following the well-documented Target Corp. breach. It is the obligation of the Board to improve oversight and governance for cyber-security, and their most important concern is how security is being handled and how the company is organized to protect itself. CISO's are now expected to understand and articulate the business risk of cyber threats to non-technical stakeholders, and become educators for both the Board and the workforce. As a result, and because of its fiduciary obligation to protect its shareholders, information security-savvy Boards are appointing CISOs to protect the organization.

Companies are elevating cyber-security as a reputational and operational risk management priority, and the proper due-diligence of cyber-security is not only a risk management function but also a reality of modern-day brand protection. In addition, security is not just about protecting the business and its brand. It is also about being able to ensure the safety of consumers. Hackers have been able to compromise entire governmental systems including: The National Health Service, which is the public health service system in the UK that was recently hit with an extensive ransomware attack. That attack hijacked the computer systems, and temporarily rendered them inoperable and forced hospitals to turn patients away.

If a company is in the process of making a decision as to appointing a CISO or a third party service provider, a thorough examination of these security partners should be made as they have access to sensitive information that makes very attractive targets. Companies need to ensure that the vendor will abide by their own internal safeguards, policies and procedures, as well as to applicable laws, rules, regulations, and best practices. As your company's security needs evolve, there will be a point in time where you will have to evaluate whether you choose to go to a third party provider, or hire an internal CISO.